Sony Hack: First Lawsuit Filed Against Company by Ex-Employees

The complaint filed in California says that Sony failed to secure its computer systems despite warnings of the threat
Getty Images

Sony Pictures Entertainment will now be forced to defend the security measures it took in advance of the hack thanks to a lawsuit that was filed in California federal court on Monday.

The complaint was filed on behalf of Michael Corona, who says he worked at the company from 2004 to 2007, and Christina Mathis, who says she worked at the company between 2000 and 2002. Both say they had information such as Social Security numbers leaked. Corona also alleges that his salary history and reason for resigning were breached. Both say they have spent money for identity theft protection in the wake of the hack and are suing on behalf of themselves and an estimated 15,000 individuals similarly situated.

"An epic nightmare, much better suited to a cinematic thriller than to real life, is unfolding in slow motion for Sony’s current and former employees," begins the complaint. "Their most sensitive data, including over 47,000 Social Security numbers, employment files including salaries, medical information, and anything else that their employer Sony touched, has been leaked to the public, and may even be in the hands of criminals."

Read more Sony Hackers Release Latest Batch of Data Tied to "Christmas Gift"

The lawsuit pins blame on Sony for what happened.

"At its core, the story of 'what went wrong' at Sony boils down to two inexcusable problems," says the complaint. "(1) Sony failed to secure its computer systems, servers, and databases ('Network'), despite weaknesses that it has known about for years, because Sony made a 'business decision to accept the risk' of losses associated with being hacked; and (2) Sony subsequently failed to timely protect confidential information of its current and former employees from law-breaking hackers who (a) found these security weaknesses; (b) obtained confidential information of Sony's current and former employees stored on Sony's Network, (c) warned Sony that it would publicly disseminate this information, and (d) repeatedly followed through by publicly disseminating portions of the information that they claim to have obtained from Sony's Network through dumps of internal data from Sony's Network."

The plaintiffs are represented by attorneys at the law firm of Keller Rohrback who are demanding actual and statutory damages, restitution and disgorgement for causes of action that include negligence, health privacy and a California statute requiring notifications of data breaches. They haven't estimated the value of the damages, but they are also demanding equitable relief including forcing Sony to provide credit monitoring for at least five years, identity theft insurance, credit restoration service and requiring Sony receive periodic compliance audits by a third party regarding the security of its computer systems.

The lawsuit is also unusual in nature as it references internal Sony documents exposed in the leak. The plaintiffs are attempting to show that Sony knew about security weaknesses and made a business decision to accept the risks despite previous data breaches. Some of the information from the leaked documents is sourced to news reports like one from Gizmodo said to be reporting that "just two months before the Data Breach became public, Sony released a scathing internal IT assessment. In the report Sony's IT personnel found basic security protocol went unheeded and what little IT security it did have was plagued with unmonitored devices, miscommunication, and a lack of accountability."

Sony general counsel Leah Weil's messages about email retention are quoted as well as those of outside security experts. The lawsuit also recaps past hacking events like the breach of Sony PlayStation user data and how the company reacted in the aftermath.

According to the complaint, "Sony has already acted to protect itself by using hacking methods of its own to combat illegal downloads of its movies that hackers publicly released after the Data Breach," but that Sony hasn't "similarly acted to protect its current and former employees," which the proposed class action says will lead to identity theft vulnerabilities and the possibility of such crimes as immigration crime, false driver's licenses and thieves obtaining government benefits and fraudulent tax refunds.

Twitter: @eriqgardner